
By Charles Odendaal, last updated: 2026/05/04

EXECUTIVE SUMMARY

Modern legal ethics require more than just a basic firewall. Today, lawyers have a professional duty to use data encryption to protect client secrets. This article explains the ethical necessity of encryption and why “perimeter defense” is no longer enough.

Key takeaways for legal professionals:

  • Ethical Mandate: ABA Rules 1.1 and 1.6 require “reasonable efforts” to prevent unauthorized data access.
  • Beyond Firewalls: A firewall stops intruders at the door. However, encryption protects the data if an intruder gets inside.
  • Two Fronts: Firms must encrypt data “at rest” (on hard drives) and “in transit” (in emails).
  • The MSSP Role: A Managed Security Service Provider (MSSP) ensures these complex tools are always active and updated.

For decades, law firms relied on firewalls as their primary defense. The idea was simple: build a digital wall and keep hackers out. However, the modern threat landscape has changed. Today, hackers often bypass walls using phishing or stolen credentials. Consequently, a firewall alone is no longer a “reasonable effort” to protect client data.

To meet your ethical duties, you must look beyond the perimeter. Specifically, you must implement robust data encryption. In the legal world, encryption is the final layer of protection for attorney-client privilege.

The Ethical Duty of Technical Competence

Cybersecurity is now a matter of professional ethics. ABA Model Rule 1.1 requires lawyers to provide competent representation. Specifically, Comment 8 states that lawyers must understand the “risks and benefits associated with relevant technology.”

Furthermore, Rule 1.6 mandates the protection of client confidentiality. Therefore, if a firm loses unencrypted data, the partners may face disciplinary action. “I am not a tech expert” is no longer a valid defense. Instead, lawyers must ensure their data is unreadable to anyone without authorization.

Encryption “At Rest”: Protecting Your Hardware

Data “at rest” refers to files sitting on your hard drives, servers, or cloud storage. In a busy firm, hardware often leaves the office. Laptops are taken to court, and tablets are used in coffee shops.

If a laptop is stolen, a firewall cannot help you. However, if that laptop uses full-disk encryption (like BitLocker), the data is safe. Without the encryption key, the thief sees only gibberish. Consequently, the loss of a device becomes a hardware problem rather than a massive data breach.

Encryption “In Transit”: Securing Communication

Data “in transit” is any information moving across the internet. This includes emails, file uploads, and messages to clients. Standard email is often like a postcard; anyone who handles it can read it.

To protect the privilege, you must use encryption in transit. Specifically, you should use secure client portals or encrypted email services. That way, even if a hacker intercepts your message, they cannot read your legal strategy or sensitive attachments.

Why Generic IT Often Fails at Encryption

Many firms rely on general IT providers. Unfortunately, these providers often treat encryption as an “extra” feature. They might turn it on once but fail to monitor it.

In contrast, a specialized Managed Security Service Provider (MSSP) makes encryption a core requirement. Specifically, they use automated tools to ensure every device in your firm is encrypted 24/7. Furthermore, they provide the “audit trail” you need to prove compliance to insurance carriers and bar associations.

The Bottom Line

A firewall is a good start, but it is not the end of your security journey. In a world of sophisticated cyberattacks, encryption is your most reliable defense.

Protecting client secrets is your highest calling as a lawyer. By moving beyond the basic firewall, you honor your ethical obligations. You also build a firm that is truly resilient in the digital age. For the modern practice, encryption is not just a technical setting. Instead, it is a professional necessity.